CWE-824 vs CWE-457

CWE-824 vs CWE-457

Amy Gale
Hello all,

I am interested in the relationship between
CWE-824: Access of Uninitialized Pointer
and
CWE-457: Use of Uninitialized Variable

These seem closely related conceptually, and both cite CVE-2007-4682 as
an observed example, but the CWE hierarchy structure doesn't indicate
any particularly close relationship. Is this an accidental omission, or
is there an important distinction that I'm not understanding?

sincerely,
Amy Gale
Re: CWE-824 vs CWE-457

Steven M. Christey-3
On Tue, 18 Dec 2012, Amy Gale wrote:

> I am interested in the relationship between
> CWE-824: Access of Uninitialized Pointer
> and
> CWE-457: Use of Uninitialized Variable
>
> These seem closely related conceptually, and both cite CVE-2007-4682 as an
> observed example, but the CWE hierarchy structure doesn't indicate any
> particularly close relationship. Is this an accidental omission, or is there
> an important distinction that I'm not understanding?

I would say that this is an accidental omission that requires multiple
changes to CWE.  However, we were aware that CWE-457 and its relatives
needed closer investigation.  There are several complications.

First, note that CWE-457 is a child of CWE-456, Missing Initialization.
Yet maybe this relationship should be a chain instead - not initializing a
variable (CWE-457) can lead to use of that uninitialized variable
(CWE-456).

Also note that while the name of CWE-456 is the very general "Missing
Initialization," its description and examples focus entirely on variables.
So, CWE-456 is really only about variables (and we should change the name
to make this more clear).

We don't have separate CWEs for "access of an uninitialized resource" and
"missing initialization of a resource," although it would probably be very
useful to create them.  We do have CWE-665: Improper Initialization, which
effectively covers both of these concepts, so CWE-665 could be a parent of
these two new entries.  CWE-824 could then be classified under the new CWE
for "access of an uninitialized resource," and CWE-457 would be classified
under the new CWE for "use of an uninitialized resource" - and they would
share the same grandparent, CWE-665.

Thank you for raising this issue!

- Steve
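The chain Steve describes (missing initialization leading to use of an uninitialized value) and the distinction Amy asks about (an uninitialized integer versus an uninitialized pointer) can both be shown in a single small parser. The code below is an added example, not code from the thread or from CWE; the "name;flag" record format, the struct and every function name are constructed for illustration. The vulnerable parser returns an error on malformed input but writes nothing to the output struct; a caller that ignores the status then branches on an uninitialized integer (CWE-457) and dereferences an uninitialized pointer (CWE-824). The hardened form assigns every field before any return and zero-initializes at the call site as a second layer.

```c
/*
 * Added example (not from the thread): one parser showing missing
 * initialization (CWE-456) leading to use of an uninitialized variable
 * (CWE-457) and, for the pointer field, access of an uninitialized pointer
 * (CWE-824). The "name;flag" record format, the struct and all function
 * names are constructed for illustration.
 */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct record {
    const char *name;     /* points into the caller's input buffer */
    size_t      name_len;
    int         flags;    /* bit 0: name may be printed */
};

/*
 * Vulnerable form. On malformed input it reports failure but writes nothing
 * to *out, so a stack-allocated struct keeps whatever bytes were there.
 */
int parse_record_vuln(const char *in, struct record *out)
{
    const char *semi = strchr(in, ';');
    if (semi == NULL)
        return -1;                 /* BUG: no field of *out was set (CWE-456) */
    out->name     = in;
    out->name_len = (size_t)(semi - in);
    out->flags    = semi[1] - '0';
    return 0;
}

/*
 * A caller that ignores the status. With garbage in r this is two different
 * weaknesses: the branch on r.flags reads an uninitialized integer (CWE-457,
 * a wrong decision but an in-bounds read), while printf dereferences r.name,
 * an uninitialized pointer (CWE-824, a memory access at a garbage address).
 * Only call this with well-formed input; on "no-semicolon" it is undefined.
 */
void use_record_vuln(const char *in)
{
    struct record r;
    (void)parse_record_vuln(in, &r);
    if (r.flags & 1)
        printf("%.*s\n", (int)r.name_len, r.name);
}

/*
 * Hardened form: every field is assigned before any return, and the input is
 * validated (non-empty name, exactly one decimal digit after ';') before use.
 */
int parse_record(const char *in, struct record *out)
{
    memset(out, 0, sizeof *out);   /* no path leaves *out uninitialized */
    const char *semi = strchr(in, ';');
    if (semi == NULL || semi == in || semi[1] < '0' || semi[1] > '9' || semi[2] != '\0')
        return -1;
    out->name     = in;
    out->name_len = (size_t)(semi - in);
    out->flags    = semi[1] - '0';
    return 0;
}

/*
 * Hardened caller: checks the status and zero-initializes at the call site as
 * a second layer, so even a parser that forgot to write *out leaves a NULL
 * pointer (a diagnosable crash) rather than a pointer into stack garbage.
 * Returns 1 if the name was printed, 0 if not printable, -1 if malformed.
 */
int use_record(const char *in)
{
    struct record r = {0};
    if (parse_record(in, &r) != 0)
        return -1;
    if (r.flags & 1) {
        printf("%.*s\n", (int)r.name_len, r.name);
        return 1;
    }
    return 0;
}

/* The second layer on its own: status ignored, but name is NULL, not garbage. */
int name_is_null_after_failed_parse(const char *in)
{
    struct record r = {0};
    (void)parse_record_vuln(in, &r);  /* returns -1 and writes nothing on bad input */
    return r.name == NULL;
}

int main(void)
{
    use_record_vuln("alice;1");        /* well-formed input only: prints "alice" */
    assert(use_record("bob;1") == 1);
    assert(use_record("carol;0") == 0);
    assert(use_record("no-semicolon") == -1);
    assert(name_is_null_after_failed_parse("no-semicolon") == 1);
    return 0;
}
```

The two callers differ only in whether the struct is initialized before the parser can fail, which is exactly the line between CWE-456 and the two "use" entries: the parser's omission is the root cause, and whether the result is a wrong branch (CWE-457) or a wild memory access (CWE-824) depends on which field the caller touches first. Runtime tools such as Valgrind or MemorySanitizer flag the vulnerable caller on malformed input; compiler warnings alone may not see across the call into `parse_record_vuln`.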